What Are the Risks of Using Claude Code With Company Source Code?

The risks of using Claude Code with company source code fall into three groups: your code and prompts leave the developer’s machine for a cloud model, where retention and training depend on the account; the agent reads files, runs shell commands, uses Git, and connects to Model Context Protocol (MCP) servers with the developer’s own permissions, so a wrong command or a prompt injection can reach secrets or take action; and without enterprise controls, security teams cannot prove what code went where.

Last updated: June 2026.

What Claude Code can reach on a developer’s machine

Claude Code runs as an autonomous agent in the developer’s terminal or editor, with the same permissions as the person who launched it. By default it starts in a read-only mode and requests approval before it changes anything, and teams set lasting allow and deny rules in a settings file (Anthropic, 2026).

Inside an approved session, Claude Code can:

  • Read files across the repository and, unless denied, other paths on the machine.
  • Edit and create files, including configuration and build scripts.
  • Run shell commands, which can install packages, run tests, or touch the wider system.
  • Use Git to stage, commit, and push changes.
  • Fetch URLs and connect to Model Context Protocol (MCP) servers and the tools behind them.

That access is what makes the tool useful and what makes it a security surface. The question for a security team is not whether Claude Code is powerful. It is which of these actions touch company source code, credentials, and systems, and who decides the boundaries. Securing AI coding assistants starts with answering exactly that.

Where your source code goes, and what can be retained

Claude Code is cloud inference, so the repository context and prompts it works on leave the device for a model. What happens to that code next depends on the account and route, not on the tool.

Under commercial terms, which cover Team and Enterprise plans, the Claude API, and cloud platforms such as Amazon Bedrock and Google Vertex AI, Anthropic does not train its models on the code or prompts sent to Claude Code, standard retention is 30 days, and zero data retention (ZDR) is available per organization on Claude for Enterprise (Anthropic, 2026). On personal Free, Pro, or Max accounts the posture is different: code can be used to train models when the training setting is on, which since the August 2025 consumer terms is the default for paid consumer plans unless the developer opts out, and the retention window is longer. The single account a developer signs in with therefore decides whether your source code is protected or kept for model training.

There is also a local copy. Claude Code stores session transcripts in plaintext under a folder in the developer’s home directory for 30 days by default, so proprietary code and prompts also sit unencrypted on the endpoint until that window clears. Source code is among an enterprise’s most valuable intellectual property (IP), and whether it stays protected turns on a choice made at sign in. That is not a decision to leave to each developer, which is the same problem AI usage control exists to solve.

Prompt injection turns reading a repo into running a command

The sharper source-code risk is not the model memorizing your code. It is untrusted content steering the agent. Claude Code reads files, dependencies, issue trackers, and web pages, and an instruction hidden in any of them can attempt to make the agent read secrets, run shell commands, or push code.

This is a documented class of attack. OWASP ranks prompt injection first in its Top 10 for Large Language Model Applications, as LLM01, alongside Sensitive Information Disclosure (LLM02) and Excessive Agency (LLM06), the risk that an agent takes actions beyond what the task required (OWASP, 2025). For the mechanics of the attack class, see what is prompt injection.

Anthropic built sandboxing into Claude Code partly to contain this. With filesystem and network isolation enabled, a successful prompt injection is boxed in, so a compromised session cannot read SSH keys or reach an attacker’s server, as Anthropic’s engineering team describes. The limits matter as much as the feature. Sandboxing is off until a developer turns it on, the file read and edit tools operate outside it, and it is not a complete isolation boundary. Defense against an agent that can act has to assume the model will sometimes be wrong or manipulated, which points to controls in the execution path rather than trust in the developer or the model alone.

Connected tools and MCP widen what one prompt can reach

Claude Code becomes far more capable, and far more exposed, the moment it connects to Model Context Protocol (MCP) servers. MCP lets the agent call external tools, hit internal application programming interfaces (APIs), and retrieve data, so a single prompt can reach systems well beyond the repository in front of the developer.

The surface is already large and largely unguarded. Censys counted more than 12,520 internet-accessible MCP services in early 2026, and the protocol does not require authentication by default (Censys, 2026). At the same time, only 21% of organizations maintain a real-time inventory of the AI agents already running in their environment, which leaves most of the agent and tool surface unmonitored (Cloud Security Alliance, 2026).

An agent that can chain tool calls inherits the reach of every tool it can invoke. Governing that path, the tool-execution channel, not just the prompt, is what limits how far a single instruction travels. That is the runtime model behind agentic AI security architecture.

The real exposure is ungoverned adoption, not a single breach

Most source-code exposure through coding assistants does not look like an attack. It looks like ordinary work: a developer reaching for a free or personal account on a deadline, pasting a snippet into whatever assistant is open, or wiring up a new MCP server without telling anyone. The same pattern drives AI data leakage across the rest of the business.

That ordinary use adds up. Adoption is near universal, with AI in 88% of organizations (Stanford HAI, 2026), and the slice of it that runs outside the security team’s view carries a measurable cost: breaches involving shadow AI ran about $4.63 million on average, roughly $670,000 more than breaches without a shadow-AI component (IBM Cost of a Data Breach Report, 2025).

The reason this stays invisible is architectural, not a failure of any one team. The controls of the web and software-as-a-service (SaaS) era, meaning the security service edge (SSE), cloud access security broker (CASB), data loss prevention (DLP), and secure web gateway (SWG) tools most enterprises already run, were built to govern destinations and browser sessions, and a command-line coding agent does not look like a website. The table maps where each layer acts.

| Capability for an AI coding agent | Legacy SSE, CASB, DLP (Zscaler, Palo Alto Networks, Netskope) | Aurascape |
|---|---|---|
| Coverage of the coding-agent path | Governs web and SaaS destinations and browser and API traffic | Decodes command-line interface (CLI), thick-client, and non-browser agent traffic, including Claude Code |
| Conversation context | Destination control and egress data inspection | Inspects prompts, responses, and tool calls with conversation-level context |
| Personal versus enterprise account | Destination and SaaS tenant rules | Distinguishes a personal account from a sanctioned enterprise one through entitlement and Intentions |
| Agent tool calls and MCP execution | Network and SaaS API controls | Zero-Bypass MCP Gateway verifies and signs approved tool calls and blocks unsigned ones |
| Inline policy actions on AI interactions | Allow or block by destination, with data redaction | Allow, coach, warn, block, or redact in the interaction path |

Aurascape works alongside an existing SSE, CASB, DLP, or SWG stack rather than replacing it. The contrast is not that those tools do nothing for AI. It is that they were built for web and SaaS traffic, while a coding agent runs over command-line and thick-client paths and calls tools directly (Aurascape, 2026).

How to let developers use Claude Code without losing control of source code

The goal is not to ban Claude Code. Used on the right account with the right controls, it speeds delivery, and the security job is to make the safe path the default. In one Aurascape deployment, governing AI coding assistants and agent integrations inline helped a Fortune 100 insurance and financial enterprise deliver code 40 percent faster and triple its AI agent integrations with no unauthorized data access, while protecting more than 20,000 users (Aurascape, 2026).

A practical evaluation works through the same questions in order:

  1. Decide the route and account. Require enterprise terms or a cloud platform such as Bedrock or Vertex, and keep company source code off personal free-tier accounts.
  2. Scope permissions. Set allow and deny rules so the agent cannot read secrets files, keys, or credentials, and cannot run destructive or network commands without review.
  3. Turn on sandboxing and fail closed. Enable filesystem and network isolation, and configure it to error rather than silently fall back to an unsandboxed run.
  4. Constrain MCP. Approve which Model Context Protocol servers and tools the agent may connect to, rather than letting each developer add their own.
  5. Govern the tool-execution path inline. Verify and sign approved tool calls and block unsigned ones, so execution cannot route around the control.
  6. Capture decoded, conversation-level interaction records for audit and effectiveness, governed by role-based access control (RBAC) for privacy.
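Steps 2 to 4 can be checked mechanically before a repository is opened with Claude Code. The script below is an added example, not Aurascape's or Anthropic's code: it audits a Claude Code settings.json and a project .mcp.json against constructed lists of secrets paths, commands that need review, and approved MCP servers. The permissions.allow/deny rule syntax, enableAllProjectMcpServers, and mcpServers follow Claude Code's documented settings; the sandbox key layout (enabled, failClosed) is an assumption used only to illustrate step 3.

```python
import json

# Constructed lists for this example: files the agent must not read (step 2),
# shell commands that need review (step 2), and MCP servers security approved (step 4).
SECRET_READS = ["Read(./.env)", "Read(./.env.*)", "Read(~/.ssh/**)", "Read(~/.aws/**)"]
RISKY_BASH = ["Bash(curl:*)", "Bash(wget:*)", "Bash(rm -rf:*)", "Bash(git push:*)"]
APPROVED_MCP = {"internal-docs", "jira-readonly"}

def audit(settings: dict, mcp_config: dict) -> list[str]:
    """Return findings for a Claude Code settings.json and project .mcp.json.
    permissions.allow/deny, enableAllProjectMcpServers and mcpServers follow
    the documented settings; the 'sandbox' keys are an assumption for step 3."""
    findings = []
    perms = settings.get("permissions", {})
    deny, allow = set(perms.get("deny", [])), set(perms.get("allow", []))
    for rule in SECRET_READS + RISKY_BASH:
        if rule not in deny:
            findings.append(f"missing deny rule: {rule}")
    # A blanket Bash allow removes the per-command review the procedure relies on.
    if allow & {"Bash", "Bash(*)"}:
        findings.append("blanket Bash allow rule lets any command run without review")
    sandbox = settings.get("sandbox", {})  # assumed key layout
    if not sandbox.get("enabled"):
        findings.append("sandbox disabled: prompt injection is not contained")
    elif not sandbox.get("failClosed"):
        findings.append("sandbox may silently fall back to an unsandboxed run")
    if settings.get("enableAllProjectMcpServers"):
        findings.append("enableAllProjectMcpServers trusts every server in .mcp.json")
    for name in mcp_config.get("mcpServers", {}):
        if name not in APPROVED_MCP:
            findings.append(f"unapproved MCP server: {name}")
    return findings

# Constructed sample: a developer's defaults before steps 2 to 4 are applied.
WEAK_SETTINGS = json.loads('{"permissions": {"allow": ["Bash(*)"], "deny": []}, '
                          '"enableAllProjectMcpServers": true}')
WEAK_MCP = {"mcpServers": {"internal-docs": {}, "random-github-server": {}}}
# The same two files after the procedure has been applied.
HARDENED_SETTINGS = {"permissions": {"allow": ["Bash(npm test:*)"],
                                     "deny": SECRET_READS + RISKY_BASH},
                     "sandbox": {"enabled": True, "failClosed": True}}
HARDENED_MCP = {"mcpServers": {"internal-docs": {"command": "npx"}}}

if __name__ == "__main__":
    for finding in audit(WEAK_SETTINGS, WEAK_MCP):
        print("WEAK:", finding)
    print("hardened findings:", audit(HARDENED_SETTINGS, HARDENED_MCP))
```

Running the audit in CI against the committed settings files turns steps 2 to 4 into a gate rather than a per-developer choice.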

Aurascape applies that control as an interaction layer across the network, endpoint, and API planes, including the command-line and non-browser agent paths a coding assistant uses. It decodes prompts, responses, and tool calls with conversation-level context, distinguishes a personal account from a sanctioned enterprise one through entitlement and Intentions, and coaches developers toward approved tools while applying context-aware actions to allow, coach, warn, block, or redact (Aurascape, 2026).

For the agent side, the Zero-Bypass MCP Gateway verifies and signs approved tool calls and blocks unsigned ones, with cross-call data lineage across chained actions, and the AI Proxy inspects each model interaction for data leakage and prompt injection in real time. Because new coding assistants launch constantly, Aurascape also catalogs brand-new tools as they appear on the web and finds the assistants already running across endpoints, so a tool is governed before the first developer adopts it. A sanctioned Claude Code deployment is governed through the same entitlement and intention controls, not only blocked when it is not approved.

| Source-code risk | Where it occurs | Control that addresses it |
|---|---|---|
| Code and prompts leave the device | Intelligence channel, agent to model | Route through enterprise terms or a cloud platform; inspect prompts and responses inline |
| Code retained or used for training | Account and entitlement | Enforce a sanctioned enterprise account; distinguish personal from enterprise with entitlement and Intentions |
| Prompt injection from files, dependencies, web, or connected tools | Reads and tool calls | Sandboxing plus inline governance of the tool-execution path |
| Secrets and credentials read or written | Filesystem and shell | Deny rules on secrets files and keys; filesystem isolation |
| Ungoverned MCP servers and tool calls | Tool-execution channel | Zero-Bypass MCP Gateway verifies and signs approved calls, blocks unsigned ones |
| No organization-wide record | Logging and evidence | Decoded, conversation-level records governed by role-based access control |

Frequently asked questions

Does Claude Code retain company source code?

It depends on the account. Under commercial terms, which include Team and Enterprise plans, the Claude API, and cloud platforms such as Bedrock and Vertex, Anthropic does not train on your code and retains it for 30 days by default, with zero data retention available per organization on Claude for Enterprise. Personal Free, Pro, and Max accounts can have code used for model training and held longer. Claude Code also keeps local session transcripts in plaintext on the developer’s machine for 30 days by default.

Can Claude Code run shell commands and change files?

Yes. Claude Code can read and edit files, run shell commands, use Git, fetch URLs, and call connected tools, all with the same permissions as the developer who started it. It asks before acting by default and honors allow and deny rules, and optional sandboxing adds operating-system-level filesystem and network isolation, though the file read and edit tools run outside that sandbox.

Is Claude Code safe to use with proprietary code?

It can be, with the right setup. Route it through enterprise terms or a cloud platform rather than a personal account, restrict permissions and secrets, enable sandboxing, approve which Model Context Protocol servers it can reach, and add an inline control layer that sees the command-line and agent traffic and governs tool calls. The account and the controls decide the risk, not the tool by itself.

What evidence do security teams get from Claude Code?

Natively, evidence is local and per developer: session transcripts on each machine, enterprise managed settings and telemetry metrics, and provider logs such as AWS CloudTrail on Bedrock or Vertex. Organization-wide, decoded, conversation-level records that show what code and which tool calls left the environment require a control layer in the interaction path, kept for audit and effectiveness and governed by role-based access control (RBAC) for privacy.
Aurascape lets enterprises give developers tools like Claude Code without handing over control of their source code, by governing the account, the conversation, the data, and every tool call in the live interaction rather than after the fact. A short demo shows where source code is leaving today and the controls that keep it protected as AI coding adoption grows.